JR - Health Care Compliance Association

More documents

Recommendations

Info

August 2002 6 By Craig Harriger, J.D., MBA and Paul Singleton, CISSP Editor’s note: Wm. Craig Harriger, J.D., practices, and DME providers. The system’s insurance company carries PPO, MBA (HOM) CHC, CHE, is Corporate Compliance Officer at Washoe Health HMO, and Indemnity and Medicare+ System. He may be reached at 775/982- Choice products. 5249. Paul Singleton, CISSP, is the Information Security Manager at Washoe Expanded initiative Health System. Like many organizations, Washoe employed the Charter System to form I nformation is one of the most a HIPAA Implementation Committee valuable assets of health care chaired by the Corporate Compliance organizations. The Federal Officer. As with many organizations, Government has recognized the importance of this information. As a consetially envisioned a “fast and cheap” some of the committee members iniquence, HIPAA initiatives must be approach. Others decided to preempt implemented. As HIPAA deadlines that approach with a proposed Charter approach, some organizations begrudgingly are attempting to just meet the amendment. deadlines with a minimum investment. The committee not only adopted the Others however, are taking advantage of amended Charter, but also embraced the opportunity to enhance information management across the enterprise. ing into the Charter the goal of “seize the spirit of the changes by incorporat- These organizations see this mandatory the opportunity to streamline business initiative as an opportunity to significantly enhance their value while meet- and achieve a competitive advantage processes, eliminate manual processes, ing the governmental mandates. while meeting federally mandated legislation”. In essence the group acknowledged that since HIPAA mandates the One organization that has chosen to seize this opportunity is Washoe Health consumption of certain resources and System (Washoe). Washoe is a Reno, time commitments, value-added thinking should be employed to improve the Nevada-based vertically integrated health care system serving Northern organization wherever possible. Nevada and Northern California. Washoe’s services include a 529-bed Information management mapping Medical Center, a surgery center, an inpatient rehabilitation facility (IRF), the Information Security Manager As a part of this value-added approach, extended care facilities and skilled nursing units (SNFs), in addition to a home information management scheme. identified the absence of a holistic health agency, multi-specialty physician Although there were numerous authen- CRAIG HARRIGER, J.D., MBA tication requirements in place, there were no links between the roles and departments in the management of information access. The committee reviewed the deficit and found a multitude of benefits were available that would form a competitive advantage from the process of information management mapping. The expanded initiative sought to devise a system that would meet HIPAA’s readily apparent basic requirements. For example, the new process needed to increase the ability to audit access to patients’ protected health information (PHI) both accurately and efficiently. Second, the prescribed sublevels of PHI, such as psychotherapy notes, required additional levels of scrutiny. Third, Washoe needed a tool that expedited the manner in which only the appropriate information is provided to users. Finally, the system needed to identify the appropriate method of destruction for differing classifications of information. The group identified several additional potential benefits of information management mapping. These value-added aspects include a quick and accurate gap analysis prior to a breach in the
system. Other advantages include easier approach to categorizing information dentiality, integrity, and availability. access to specific information, increased and regulating access based on need. efficiency in how information is distributed throughout the system as well as near real-time trending analysis of information use and needs. The similarity between this methodology and the HIPAA requirements and consequences is striking. Understanding determining factors All information is not of equal importance to an organization. In order to remain cost-effective, they need to Recently, some health care organiza- establish any information not consid- tions have begun to realize that effective ered worthy of protection. For exam- information classification is a competi- ple, many organizations do not want to PAUL SINGLETON, CISSP tive advantage and a cornerstone of an operative compliance plan. Creating an information classification system involves a three-step process that provides the organizations with a powerful set of tools that can assist in management processes across an organization. Initially, it is important to obtain senior management agreement that informa- invest the time and resources necessary to protect the contents of its internal phone book. This information generally can be acquired by calling an internal operator. The basic information classification analysis of this example is that the information is available to anyone in the hospital without restriction, and tion is a precious corporate asset, one thus, not confidential. Likewise, there Fundamental elements The information mapping system can be as basic or complex as an organization desires. The fundamental elements however, are information classification and access management. Once these elements are in place, the opportunity for cross-organizational integration is available. that needs to be managed as diligently as all other capital. Involvement of the board of directors and senior management accord is also important to ensure that the HIPAA compliance initiative conforms to the elements of an effective compliance program under the standards provided by the Federal Sentencing Guidelines. This should be viewed as an operational initiative. is no concern over the information being modified to anyone’s detriment (integrity), and without the phone book, the organization could continue to function with no lasting harm (availability). Obviously, information that does meet any of the above criteria would be considered public and need not be restricted. Information classification systems are often viewed as clandestine strategy employed by governmental agencies or similar organizations that have intense research and development initiatives. While this is true, these systems are also used as a means of maintaining a competitive advantage over business rivals; an advantage that could be lost in the event proprietary secrets are compro- Consider engaging other management personnel in the process. Using the Chief Information Officer (CIO) as the sole sponsor, risks having the initiative viewed as an Y2K boondoggle. A first step is to determine the classification of information. This is the most important and yet simplistic phase. This identification process requires an Not all information however, falls exclusively into one of the three determining factors, and some may actually meet the test of all three. It is generally the information that meets all three criteria that is identified as critical to the organization’s functional well-being. Decision analysis information and feasibility information are two examples of valuable, highly restricted informa- mised. assessment of the type of information tion (confidentiality and integrity) that the organization creates and maintains would have a lower level of criticality The banking, insurance, defense, and technology industries have long recognized the need for a systematized as well as the various levels of proposed personnel access. This process is a function of three determining factors: confi- than patient information (confidentiality, integrity and availability). Continued on page 8 7 August 2002
Page 1 and 2: Volume Four/Number Eight August 200
Page 3 and 4: DON’T MISS OUT! ON THE CALENDAR U
Page 5: FOCUS ON ETHICS & COMPLIANCE Compli
Page 9 and 10: uation as unique. The divide and co
Page 11 and 12: By Norman Radies Editor’s note: N
Page 13 and 14: feature article Editor’s note: Th
Page 15 and 16: there are so many issues that have
Page 17 and 18: 3. Have a witness! Do interviews wi
Page 19 and 20: leagues. Physicians can hear the me
Page 21 and 22: Alyse Hutchinson, Associate Complia
Page 23 and 24: many tasks forces as they deemed ap
Page 25: Editor and Publisher: Margaret R. D

JR - Health Care Compliance Association

Create successful ePaper yourself

Delete template?

Save as template?